I think the majority of security researchers act in this manner
Sure, there are people out there that don't, but I think the majority do.
The issue of making money from flaws is a different one in my view. Most of those that do this also release the information necessary to fix the flaw to the developer of the software affected. These are the good guys. They effectively sell a fix to legitimate business (not malware authors or the Russian Mafia), and at the same time either get those businesses to report the details of the flaw to Microsoft, Google, whomever - or they do so directly themselves.
Remember, most of the time, if these guys don't find and report these flaws, the first Microsoft et al. know about it is when regular users get hit by malware.
Yes, there are mercenaries out there; yes, there are plenty of kiddies who use and disclose this info for mischief or cash in to the highest bidder.
But my experience has been that most security researchers are responsible people who act in the same way as this guy. And if they decide to make a few dollars to pay the bills, as long as it does no one any harm, why not?